Best Practices for Swapping Out Phones While Managing MFA and Conditional Access

Asked By TechWiz34 On

We're gearing up to replace over 180 cell phones—30 iPhones and 150 Androids—in the next few weeks, primarily for our field technicians who need them ready for action. We've implemented Intune, requiring everyone to install the company portal or management profile on their devices. With conditional access policies in place, only compliant devices can access company resources, and MFA is mandatory for all users.

For the phone swaps, our current procedure involves requiring users to re-register for MFA, setting up a temporary password, scanning a QR code for Intune, and then using that temp password to set up the new phone. However, this leaves users potentially without access if they haven't verified their MFA recently. What's a more efficient way to manage this process without having to disable MFA on their accounts?

5 Answers

Answered By DocuMaster9 On

Creating a detailed step-by-step guide for users could help a lot, covering things like unboxing, setting up the new phone, MDM enrollment, MFA registration, and returning the old device. Stagger the swaps, too. Having 180 people trying to switch at once could be a recipe for disaster!

Answered By MFAWhisperer91 On

Definitely go for a TAP to handle MFA setup without user password resets. This way, you keep everything running smoothly during rollouts!

Answered By HelpdeskHero42 On

If you're unsure about Intune, consider using what's called 'device staging.' It helps with setup without resetting passwords on the user accounts. I’d also advise against requiring users to re-register their MFA. Instead, use TAP for easier transitions.

Answered By SupportScribe87 On

Make sure users set up the new phone via aka.ms/mfasetup first before returning their old phone. However, I get how this is tricky because they can't really do that without having the old phone for initial sign-in.

Answered By GadgetGuru21 On

Honestly, I've handled this a few times without ever needing to touch a device. You can fully automate it! If you want a hands-on approach, I recommend using a Temporary Access Pass (TAP) during setup. You do a few taps at the start and scan a QR code, entering the TAP when prompted. This avoids MFA complications. Just push the necessary apps and policies via Intune once done. Make sure to send them the device PIN through a secure method and not with the device itself.
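Several answers above (MFAWhisperer91, HelpdeskHero42, GadgetGuru21) recommend a Temporary Access Pass, and DocuMaster9 suggests staggering the swaps. The script below is an added example, not code from any poster in this thread, showing how an admin can issue one TAP per technician with Microsoft Graph PowerShell so that each pass is only valid inside that user's scheduled swap slot. It assumes the `Microsoft.Graph.Identity.SignIns` module is installed, the TAP method is enabled in the tenant's authentication methods policy, the signed-in admin holds the Authentication Administrator role, and the chosen lifetime is within the policy's maximum; the UPNs and time slots are constructed sample data. A sign-in completed with a TAP satisfies the MFA requirement, so the user's Conditional Access policy keeps working without disabling MFA on the account.

```powershell
# Added example (not from the thread): issue Temporary Access Passes for a
# staggered phone-swap schedule using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, TAP is enabled
# in the tenant's authentication methods policy, the caller has the
# Authentication Administrator role, and $slotMinutes is within the
# tenant's maximum TAP lifetime. UPNs and slots below are constructed.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# Constructed swap schedule: one row per technician, one slot per batch,
# so that 180 people are never all trying to switch at once.
$schedule = @'
UserPrincipalName,SlotStart
tech01@contoso.example,2024-06-03T08:00:00
tech02@contoso.example,2024-06-03T08:00:00
tech03@contoso.example,2024-06-03T13:00:00
'@ | ConvertFrom-Csv

$slotMinutes = 120    # pass is valid only inside the user's swap slot
$reusable    = $true  # enrolment can prompt for sign-in more than once;
                      # a one-time pass would fail on the second prompt

function New-SwapPass {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][datetime]$Start,
        [int]$LifetimeMinutes = $slotMinutes,
        [bool]$UsableOnce = (-not $reusable)
    )
    # Revoke any pass the user already has so only one is live at a time.
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn |
        ForEach-Object {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod `
                -UserId $Upn `
                -TemporaryAccessPassAuthenticationMethodId $_.Id
        }
    # Create the pass; the secret value is returned only by this call.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
        -StartDateTime $Start.ToUniversalTime() `
        -LifetimeInMinutes $LifetimeMinutes `
        -IsUsableOnce:$UsableOnce
    [pscustomobject]@{
        UserPrincipalName = $Upn
        ValidFromUtc      = $tap.StartDateTime
        ValidMinutes      = $tap.LifetimeInMinutes
        OneTimeUse        = $tap.IsUsableOnce
        Pass              = $tap.TemporaryAccessPass  # shown once, not stored
    }
}

# Issue one pass per scheduled user.
$issued = foreach ($row in $schedule) {
    New-SwapPass -Upn $row.UserPrincipalName -Start ([datetime]$row.SlotStart)
}

# Display only. Hand each pass to its user over a secure channel (as
# GadgetGuru21 says, never in the box with the device) and do not pipe this
# to Export-Csv or a ticket.
$issued | Format-Table -AutoSize

Disconnect-MgGraph
```

Usage: on the new phone the technician signs in to Company Portal with their password and, when prompted for MFA, enters the TAP; they then enrol in Intune and register Microsoft Authenticator at aka.ms/mfasetup. Once Authenticator is registered the pass is no longer needed and expires at the end of the slot, so the old phone can be returned without the user ever being locked out. Keep the window short: the pass is a strong credential for as long as it is live.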
